CVE-2022-21698
Uncontrolled Resource Consumption in promhttp
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g GET) before middleware; pass metric with `method` label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.
client_golang es la biblioteca de instrumentación para aplicaciones Go en Prometheus, y el paquete promhttp en client_golang proporciona herramientas en torno a los servidores y clientes HTTP. En client_golang versiones anteriores a 1.11.1, el servidor HTTP es susceptible de una Denegación de Servicio mediante una cardinalidad no limitada, y un potencial agotamiento de la memoria, cuando es manejado peticiones con métodos HTTP no estándar. Para ser afectado, un software instrumentado debe usar cualquiera de los middleware "promhttp.InstrumentHandler*" excepto "RequestsInFlight"; no filtrar ningún método específico (por ejemplo GET) antes del middleware; pasar la métrica con el nombre de la etiqueta "method" a nuestro middleware; y no presentar ningún firewall/LB/proxy que filtre las peticiones con "method" desconocido. client_golang versión 1.11.1 contiene un parche para este problema. Se presentan varias medidas de mitigación disponibles, incluyendo la eliminación del nombre de la etiqueta "method" del contador/calibre usado en el InstrumentHandler; la deshabilitación de los manejadores promhttp afectados; la adición de un middleware personalizado antes del manejador promhttp que sanee el método de petición dado por Go http.Request; y el uso de un proxy inverso o un firewall de aplicaciones web, configurado para permitir sólo un conjunto limitado de métodos
A denial of service attack was found in prometheus/client_golang. This flaw allows an attacker to produce a denial of service attack on an HTTP server by exploiting the InstrumentHandlerCounter function in the version below 1.11.1, resulting in a loss of availability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-11-16 CVE Reserved
- 2022-02-15 CVE Published
- 2024-08-03 CVE Updated
- 2024-10-31 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-400: Uncontrolled Resource Consumption
- CWE-770: Allocation of Resources Without Limits or Throttling
- CWE-772: Missing Release of Resource after Effective Lifetime
CAPEC
References (24)
URL | Tag | Source |
---|---|---|
https://github.com/prometheus/client_golang/releases/tag/v1.11.1 | Release Notes | |
https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p | Issue Tracking |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/prometheus/client_golang/pull/962 | 2023-11-07 | |
https://github.com/prometheus/client_golang/pull/987 | 2023-11-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Prometheus Search vendor "Prometheus" | Client Golang Search vendor "Prometheus" for product "Client Golang" | < 1.11.1 Search vendor "Prometheus" for product "Client Golang" and version " < 1.11.1" | go |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 34 Search vendor "Fedoraproject" for product "Fedora" and version "34" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 36 Search vendor "Fedoraproject" for product "Fedora" and version "36" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Extra Packages For Enterprise Linux Search vendor "Fedoraproject" for product "Extra Packages For Enterprise Linux" | 7.0 Search vendor "Fedoraproject" for product "Extra Packages For Enterprise Linux" and version "7.0" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Extra Packages For Enterprise Linux Search vendor "Fedoraproject" for product "Extra Packages For Enterprise Linux" | 8.0 Search vendor "Fedoraproject" for product "Extra Packages For Enterprise Linux" and version "8.0" | - |
Affected
| ||||||
Rdo Project Search vendor "Rdo Project" | Rdo Search vendor "Rdo Project" for product "Rdo" | - | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 36 Search vendor "Fedoraproject" for product "Fedora" and version "36" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 37 Search vendor "Fedoraproject" for product "Fedora" and version "37" | - |
Affected
|